Re: Fixing glib2.0 CVE-2024-34397 in buster

To: Simon McVittie <smcv@debian.org>, debian-lts@lists.debian.org
Cc: glib2.0@packages.debian.org, Markus Koschany <apo@debian.org>
Subject: Re: Fixing glib2.0 CVE-2024-34397 in buster
From: Sylvain Beucler <beuc@beuc.net>
Date: Sat, 11 May 2024 18:34:55 +0200
Message-id: <[🔎] ef5e1f87-e9eb-4085-b9ed-1e0fd88551d7@beuc.net>
In-reply-to: <[🔎] Zj426Ku7NEa0fSg8@remnant.pseudorandom.co.uk>
References: <[🔎] Zj426Ku7NEa0fSg8@remnant.pseudorandom.co.uk>

Hello Simon,

Markus (apo) claimed the package yesterday after your message.

For clarity I'm CC:ing him here, and I added a note in data/dla-needed.txt.
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt

Also, thanks for the testing procedure :)

Cheers!
Sylvain Beucler
Debian LTS Team

On 10/05/2024 17:02, Simon McVittie wrote:

Please cc either me or the glib2.0 package's address on any replies that
are relevant outside the LTS team: I am not subscribed to -lts.

Normally I don't attempt to support any packages in the LTS distributions,
but for glib2.0 I was the author of the original CVE fix and it turns
out that I might need a buster-compatible version of it for my day job,
so I've done a prototype backport to buster:
https://salsa.debian.org/gnome-team/glib/-/merge_requests/39
(git fetch https://salsa.debian.org/gnome-team/glib wip/cve-2024-34397/buster)

This incorporates:

* the original CVE fixes developed under embargo and released to bookworm
   and bullseye as DSA 5682-1, to unstable as 2.80.0-10, and to Ubuntu
   (the version used here is very similar to the one in bullseye, but with
   even more conflict resolution)

* automated test coverage for the CVE fix, released in the same versions
   as above (again the version used here is very similar to the one in
   bullseye, with minor adjustments to avoid requiring newer APIs)

* a fix for a serious regression in ibus introduced by the CVE fixes,
   released to bookworm and bullseye as DSA 5682-2, to unstable in 2.80.1-1,
   and to Ubuntu

* a fix for a minor/rare memory leak introduced by a prerequisite patch
   backported as part of the CVE fixes (see #1070851), released to unstable
   in 2.80.2-1 but not yet fixed in bookworm/bullseye or Ubuntu; this seems
   low-risk, but can be dropped/reverted if it makes the LTS team unhappy

Please could whoever handles this in the LTS team take over review/testing
from this point, and let me know if there are any problems?

In the newer suites, this update was accompanied by a fix for gnome-shell,
in which screencasting/screen-recording would have regressed after fixing
the vulnerability. In buster, my understanding is that this will not be
necessary, because GNOME Shell 3.30.x is too old to have had the relevant
bug; but I have not tested a full buster system.

I would recommend testing:

* build-time tests

* autopkgtest

* general use of GNOME

* gnome-shell: whatever screen recording or screencasting functionality was
   present in buster, if any (I don't remember what was offered in 3.30.x)

* ibus: Compose key, dead keys, and ideally non-Latin input
   (e.g. Japanese with mozc)

Thanks,
     smcv

Reply to:

References:
- Fixing glib2.0 CVE-2024-34397 in buster
  - From: Simon McVittie <smcv@debian.org>

Prev by Date: (E)LTS report for April 2024
Next by Date: Re: Fixing glib2.0 CVE-2024-34397 in buster
Previous by thread: Fixing glib2.0 CVE-2024-34397 in buster
Next by thread: Re: Fixing glib2.0 CVE-2024-34397 in buster
Index(es):
- Date
- Thread